From: Ralf Staudemeyer
Date: Tue, 22 Jun 2004 16:45:05 +0000
Subject: Re: [LARTC] management of virus and p2p-traffic
Message-Id: <1087944327.2861.61.camel@turtle>
In-Reply-To: <1087839362.4786.0.camel@turtle>
To: lartc@vger.kernel.org

On Tue, 2004-06-22 at 12:01, Ed Wildgoose wrote:
> Ralf Staudemeyer wrote:
>
> >On Tue, 2004-06-22 at 07:20, Ed Wildgoose wrote:
> >
> >>The other stuff is easily possible, but for the number of users that you
> >>have you are going to need to invest some time to write some scripts to
> >>handle mapping users to MAC addresses and make the whole thing
> >>maintainable. There was another post only hours ago from at least one
> >>other person who you might contact to see if they will share some stuff.
> >>
> >I wanted to avoid doing that MAC/IP mapping. Some users have notebooks,
> >some will change their working place and some will buy new hardware they
> >want to connect to the network. This is not maintainable. Also I really
> >do not want to know what the users do with their bandwidth. I just want
> >to ensure that things are fair and everyone can work with the network.
> >
> Well, in that case your problem gets really easy. Just pick up one
> of the prioritisation scripts - I like this one:
>
> http://www.digriz.org.uk/jdg-qos-script/
>
> Then read the LARTC doc so you know what it's doing. And that should have you up and running.
>
> What you will be doing is just classifying traffic based on its type and ignoring the source, etc. completely.
>
It is not that easy, since there is still the prioritisation problem.
There are user groups who should not use p2p traffic (publicly accessible machines for surfing and email only), some need some extra bandwidth (mirrors, power users), some need low latency for their Voice-over-IP or videoconferencing ... things like that. It is quite easy to group them into five groups. But I do not know how I should make sure that no one reconfigures the IP of a publicly accessible machine to get some extra rights. I thought of filtering this with some transparent bridgewalls. But this makes it impossible to move a machine of higher prioritisation into a subnet of lower prioritisation. The bridgewall will, and should, discard the packets. Even if I started collecting MAC addresses, it would still be quite easy to sniff the MAC/IP pair (wouldn't it?).

The script looks very promising.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
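What Ed's suggestion looks like in practice, as an added example that is neither from this thread nor the jdg-qos-script: an HTB tree whose classes correspond to the groups Ralf lists (low latency, interactive, bulk, p2p/unknown) but whose filters key only on protocol, port and TOS, never on a source address or MAC. The interface name, the rate split and the port-to-class mapping are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not the jdg-qos-script): an HTB tree that
# sorts traffic purely by type (protocol, port, TOS) and never by source address,
# so re-addressing a machine buys no better class. Interface name, rates and
# the port-to-class mapping are assumptions. Needs root; TC="echo tc" dry-runs.
TC=${TC:-tc}

# qos_setup <interface> <link rate in kbit>
qos_setup() {
    dev=$1; total=$2
    lowlat=$((total * 20 / 100)); inter=$((total * 30 / 100))
    bulk=$((total * 30 / 100)); p2p=$((total * 20 / 100))

    $TC qdisc del dev "$dev" root 2>/dev/null || true
    # Anything no filter claims (p2p, unknown) falls into 1:40.
    $TC qdisc add dev "$dev" root handle 1: htb default 40
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit" ceil "${total}kbit"
    # Guaranteed rate per class; ceil lets a class borrow idle bandwidth,
    # except 1:40, which is hard-capped so bulk p2p cannot crowd out the rest.
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${lowlat}kbit" ceil "${total}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${inter}kbit" ceil "${total}kbit" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "${bulk}kbit" ceil "${total}kbit" prio 2
    $TC class add dev "$dev" parent 1:1 classid 1:40 htb rate "${p2p}kbit" ceil "${p2p}kbit" prio 3
    # SFQ in each leaf keeps one heavy flow from starving its neighbours.
    for c in 10 20 30 40; do
        $TC qdisc add dev "$dev" parent 1:$c handle $c: sfq perturb 10
    done

    # Filters: protocol/port/TOS only. There is no "match ip src" anywhere.
    f="$TC filter add dev $dev parent 1: protocol ip prio 1 u32"
    $f match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:10   # SIP signalling
    $f match ip tos 0x10 0xff flowid 1:10                                # minimise-delay TOS
    $f match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:20     # ssh
    $f match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:20    # dns
    for p in 80 443 25 143; do                                           # web and mail
        $f match ip protocol 6 0xff match ip dport $p 0xffff flowid 1:30
    done
}
# Usage (as root): qos_setup eth0 1000
```

The worry in the thread about a user re-addressing a machine to claim a better class disappears here only because no filter ever consults the address; whatever the kernel sees on the wire is sorted by what it is, not by who sent it.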